Hey, Microsoft Partners -Are Your Customers Asking This Question Yet?

I have a buring quetions brewing for months. It's a question for those of you that implement/manage Microsoft Business Central. This is my question: has data sovereignty bubbled up the list of questions you are being asked? Does it now feature in your account management and discovery day meetings more frequently?

For I am, for sure seeing my business IT feeds now regularly populated with discussions on digital sovereignty. About UK & European initiatives to build out sovereign secure systems for themselves.

When a company moves its entire financial operation, supply chain, manufacturing BoMs and customer data into Business Central, on the cloud and as it stands today, that company is placing the core of that business into American cloud and thus American jurisdiction. I suspect it will be customer awareness that drives how often this is raised in your discovery calls or not, as the perceived risk is real.

Customers are evaluating Business Central against SAP, Odoo, Sage that they know to be European or UK companies, although I suspect, and have not researched, that those companies make use of American services, even if it is only to send data to be processed and received back.

Sovereign Cloud, to me is not the answer

So what are you all saying to the customer?

The American cloud providers are rushing to reassure European businesses. AWS has recently launched its European Sovereign Cloud, which is what sparked off this blog post. Microsoft has its European Digital Commitments white paper talking sovereign cloud. I am sure these solutions are air-gapped from the rest of Microsoft or AWS, but that is not the actual problem. Instead it's a question of trust - just who owns the company that runs them? A lot of the systems we use, such as SSL certificates, are based on trusting the stack of players offering that service. We will talk more on trust in a moment.

Jurisdiction & the Trust Problem

For data held by an American owned company, regardless of the geo location of that data, there are legal mechanisms to hand that data over, even without notice to the owner of that data. The Cloud Act enables this. Yes there is legal process around this, but in a world that is act first and deal with the legal consequences later, legal process is of little reassurance.

In the current world political climate it is not going to cut it anymore to stand up a German AWS/Microsoft data centre having an American parent company, with some segregated personnel and infrastructure, thus calling it sovereign.

Commitments to European legislation compliance is not the same as providing 100% legal protection. I could be wrong here, but they feel like sales tools to reassure customers - and that does not protect against the CLOUD Act, or against political pressure applied quietly in the background by covert operations, perhaps without a court order ever being issued.

The question European businesses need to ask is do I trust the company and country holding my company IP?

Could encryption be the answer?

The advice offered when data sovereignty concerns are raised is to encrypt everything. However, after I attended a lecture on "encryption in a post quantum computing world", I learnt it is no longer a future concern, it is a now concern. It is thought that there are many state actors that are almost certainly harvesting encrypted data streams today with the intention of decrypting them once quantum capability matures. Maybe it's tin foil hat talk, but "Harvest now, decrypt later" is a documented strategy. Telling a European manufacturing firm, a pharmaceutical company, or a defence contractor to just encrypt the data is valid - but make sure it's encryption safe against quantum computers. However this is not helpful unless the SaaS provider offers a solution, and where the product is a product like BC, so...

So where are we at?

Europe and the UK are building out European owned cloud infrastructure, a process hastened by recent times, but where is that going in relation to products like BC? How do Microsoft navigate this?

The sovereign cloud technical offerings from AWS and Microsoft are there to reassure customers, but in my view these companies are dealing with a much greater trust problem that is way beyond those companies themselves.

So, tell me Business Central Partners...

• Tell me what you are finding out there on the ground in Europe and the UK, with your current or prospective customers?
• Tell me, is this a question starting to bubble up more often than before?
• How do you reassure the customer that the company data they value is safe from being passed to competitive countries, or emails being harvested and used for blackmailing corporate executives ten years down the line? - Hey, perhaps valid in 2026, right?